From 0f33bd483f24548462de5d3e1ebf2a11d476965a Mon Sep 17 00:00:00 2001
From: Martin Leduc <31558169+DecimalTurn@users.noreply.github.com>
Date: Thu, 6 Jun 2024 20:33:02 -0400
Subject: [PATCH 1/3] Edit regex to exclude comments

---
 oletools/olevba.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/oletools/olevba.py b/oletools/olevba.py
index a44bb777..b22decb6 100644
--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -2183,7 +2183,7 @@ def detect_autoexec(vba_code, obfuscation=None):
 for keyword in keywords:
 #TODO: if keyword is already a compiled regex, use it as-is
 # search using regex to detect word boundaries:
- match = re.search(r'(?i)\b' + re.escape(keyword) + r'\b', vba_code)
+ match = re.search(r'(?i)^(?:[^\']|\b).*\b' + re.escape(keyword) + r'\b', vba_code)
 if match:
 found_keyword = match.group()
 results.append((found_keyword, description + obf_text))
@@ -2192,7 +2192,7 @@ def detect_autoexec(vba_code, obfuscation=None):
 for keyword in keywords:
 #TODO: if keyword is already a compiled regex, use it as-is
 # search using regex to detect word boundaries:
- match = re.search(r'(?i)\b' + keyword + r'\b', vba_code)
+ match = re.search(r'(?i)^(?:[^\']|\b).*\b' + keyword + r'\b', vba_code)
 if match:
 found_keyword = match.group()
 results.append((found_keyword, description + obf_text))
@@ -2218,7 +2218,7 @@ def detect_suspicious(vba_code, obfuscation=None):
 for keyword in keywords:
 # search using regex to detect word boundaries:
 # note: each keyword must be escaped if it contains special chars such as '\'
- match = re.search(r'(?i)\b' + re.escape(keyword) + r'\b', vba_code)
+ match = re.search(r'(?i)^(?:[^\']|\b).*\b' + re.escape(keyword) + r'\b', vba_code)
 if match:
 found_keyword = match.group()
 results.append((found_keyword, description + obf_text))
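Review bot: The new pattern anchors on `^`, but `re.search` is still called without `re.MULTILINE` and `.` does not cross newlines, so a keyword is now only found when it sits on the very first line of `vba_code`; every autoexec or suspicious keyword on any later line is silently missed, which all but blinds olevba's detection, and the same change appears in the hunks at 2192, 2218 and 2226. A second regression in all four hunks is that `found_keyword = match.group()` now yields the whole line prefix up to the keyword instead of the keyword itself, changing what is reported in `results`. A closer fit to the stated intent is a per-line search that rejects a `'` earlier on the same line and captures the keyword, e.g. `match = re.search(r'(?i)^[^\'\n]*?\b(' + re.escape(keyword) + r')\b', vba_code, re.MULTILINE)` (plain `keyword` in the two loops whose keywords are regexes) together with `found_keyword = match.group(1)`. Note that this still treats a `'` inside a double-quoted string literal as a comment start and ignores `Rem` comments, so it trades a few false negatives for the false positives it removes; a detector should prefer erring toward flagging. The enclosing loops of detect_autoexec and detect_suspicious start outside the hunks.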
@@ -2226,7 +2226,7 @@ def detect_suspicious(vba_code, obfuscation=None):
 for keyword in keywords:
 # search using regex to detect word boundaries:
 # note: each keyword must NOT be escaped because it is an actual regex
- match = re.search(r'(?i)\b' + keyword + r'\b', vba_code)
+ match = re.search(r'(?i)^(?:[^\']|\b).*\b' + keyword + r'\b', vba_code)
 if match:
 found_keyword = match.group()
 results.append((found_keyword, description + obf_text))
From ab4a52e8683127199ec8c592e90be135bdc29d91 Mon Sep 17 00:00:00 2001
From: Martin Leduc <31558169+DecimalTurn@users.noreply.github.com>
Date: Thu, 27 Jun 2024 04:07:33 -0400
Subject: [PATCH 2/3] Add devcontainer.json

---
 .devcontainer/devcontainer.json | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 .devcontainer/devcontainer.json

diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
new file mode 100644
index 00000000..9d568587
--- /dev/null
+++ b/.devcontainer/devcontainer.json
@@ -0,0 +1,19 @@
+{
+ "image": "mcr.microsoft.com/devcontainers/universal:2",
+ "hostRequirements": {
+ "cpus": 4
+ },
+ "waitFor": "onCreateCommand",
+ "updateContentCommand": "python3 -m pip install -r requirements.txt",
+ "postCreateCommand": "",
+ "customizations": {
+ "codespaces": {
+ "openFiles": []
+ },
+ "vscode": {
+ "extensions": [
+ "ms-python.python"
+ ]
+ }
+ }
+ }
\ No newline at end of file
From 6e4583d3d7320c92a94bc9c9fedd85138f0fe56f Mon Sep 17 00:00:00 2001
From: Martin Leduc <31558169+DecimalTurn@users.noreply.github.com>
Date: Thu, 27 Jun 2024 04:11:14 -0400
Subject: [PATCH 3/3] add extension

---
 .devcontainer/devcontainer.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 9d568587..56b38618 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -12,6 +12,7 @@
 },
 "vscode": {
 "extensions": [
+ "EditorConfig.EditorConfig",
 "ms-python.python"
 ]
 }
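Review bot: The dev container image is pulled by the mutable tag in `"image": "mcr.microsoft.com/devcontainers/universal:2"`, so the toolchain a contributor or a Codespace gets can change underneath the project without any change to this file; pinning to a digest, `"image": "mcr.microsoft.com/devcontainers/universal:2@sha256:<digest-placeholder>"`, makes the environment reproducible and reviewable. The new file also ends without a trailing newline (`\ No newline at end of file`), which the EditorConfig extension added in the following patch suggests the project wants to avoid. `updateContentCommand` installs from `requirements.txt`, which is not part of this series, so whether those dependencies are pinned cannot be judged here.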